Reputation: 9820
I have a WinForms app which interfaces to a website. In the Windows App, users can log into their website account via a SOAP webservice (username/password are sent with each web service call, made over HTTPS). I've been asked to create a button which will log them into the website in their browser, so they don't have to sign in twice if they need to use both the Windows app and the website at the same time.
Is it safe to also add a button in the Windows app which gives them one-click access to the website by encoding their username and password in the URL? When using HTTPS, I'm not sure if the URL itself is encrypted, or only the request/response traffic. Would it be better to asymmetrically encrypt the user/pass into some kind of login token? And if so, how could I stop someone else from simply using that same token?
I'm not really sure what to Google to get an answer on this one and as changing APIs is relatively difficult once it's in use, I'd rather do something sensible the first time.
Upvotes: 0
Views: 102
Reputation: 46
You could create a token and store this in your database with the username and a "use before" timeout. Then you include the token in the URL, and on the website you look up the token in your database and verify that it exists, is connected to a user and is recent.
Upvotes: 1
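The token scheme from the answer above, as an added example that is not part of the original question or answer. It is written in Python rather than the asker's C#/WinForms stack purely so that both halves (issuing on the server behind the already-authenticated SOAP call, redeeming in the website's login handler) fit in one runnable piece; the class and function names, the 60-second lifetime and the `/sso?token=` URL are assumptions. Two points a practitioner would add to the answer's design: the token is redeemed and deleted on first use, so a copied URL cannot be replayed, and only the SHA-256 of the token is stored, so a read of the database table does not yield working login links. The query string is encrypted inside HTTPS, but it still lands in browser history, proxy and web-server logs, so a single-use, short-lived token is what makes putting it in a URL acceptable; the website should also redirect to a token-free URL after setting the session cookie.

```python
import hashlib
import secrets
import time
import urllib.parse
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: a hand-off token is redeemed within seconds of being issued,
# so a one-minute "use before" window is plenty.
TOKEN_TTL_SECONDS = 60


@dataclass
class PendingLogin:
    username: str
    expires_at: float


class HandoffTokenStore:
    """Server-side table of unredeemed browser hand-off tokens.

    Keyed by SHA-256 of the token, not the token itself: leaking the table
    does not leak usable login links, and looking up a hash sidesteps
    timing concerns about comparing the secret directly.
    A dict stands in for the database table the answer describes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for tests
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, ttl: float = TOKEN_TTL_SECONDS) -> str:
        """Call this from the SOAP service *after* username/password have
        been verified for this request. Returns the raw token exactly once."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLogin(
            username=username, expires_at=self._clock() + ttl
        )
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Call this from the website's login handler.

        Returns the username on success, None for an unknown, expired or
        already-used token. The entry is popped on every lookup, so a token
        can succeed at most once; an expired entry is discarded too.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None or self._clock() > entry.expires_at:
            return None
        return entry.username

    def purge_expired(self) -> int:
        """Housekeeping for tokens the user never clicked; returns count removed."""
        now = self._clock()
        stale = [k for k, v in self._pending.items() if now > v.expires_at]
        for k in stale:
            del self._pending[k]
        return len(stale)


def build_login_url(base_url: str, token: str) -> str:
    """What the WinForms button opens in the default browser (hypothetical endpoint)."""
    return f"{base_url}?{urllib.parse.urlencode({'token': token})}"


def handle_login_request(store: HandoffTokenStore, query_string: str) -> Optional[str]:
    """The website side: parse the query string, redeem the token, and return
    the username to put in the new browser session (None means 'show the
    normal login page'). A real handler would then set the session cookie
    and 303-redirect to a URL without the token in it."""
    params = urllib.parse.parse_qs(query_string)
    tokens = params.get("token", [])
    if len(tokens) != 1:
        return None
    return store.redeem(tokens[0])


if __name__ == "__main__":
    store = HandoffTokenStore()
    # Constructed walk-through: the SOAP call has just authenticated "alice".
    url = build_login_url("https://www.example.com/sso", store.issue("alice"))
    query = url.split("?", 1)[1]
    print("first click :", handle_login_request(store, query))   # alice
    print("replayed URL:", handle_login_request(store, query))   # None
```

Because `issue()` is only reachable through the authenticated SOAP call, the token is bound to whoever already proved their password in the Windows app; the website never sees the password at all, which is the whole point of not putting it in the URL.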